Is there a "best" way to check to see if OpenLDAP replication is working?

I have one script that checks the ContextCSN of the root of the database, which works to a certain degree. However, even when that matches it seems that sometimes a "deep inspection" (actually traversing the whole database and comparing each entry individually) of the directory shows differences even when the ContextCSN of the directory root matches.

That's all our nagios check script does. If you're finding that there are still differences in the contents of the directory even when contextCSN matches, then there's likely something else going on. At least, I've never seen the situation you describe in our production openldap cluster.